This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/
-
CodeGen/
2
CGBuiltin.cpp
-
CGCall.cpp
-
CodeGenFunction.h
-
test/CodeGen/
-
CodeGen/
-
catch-undef-behavior.c

Differential D9673

Check for null pointers given to memcpy with ubsan
ClosedPublic

Authored by nlopes on May 11 2015, 12:00 PM.

Download Raw Diff

Details

Reviewers

samsonov
rsmith

Commits

rG1ba2d78b9a12: ubsan: Check for null pointers given to certain builtins, such as memcpy…
rC238657: ubsan: Check for null pointers given to certain builtins, such
rL238657: ubsan: Check for null pointers given to certain builtins, such

Summary

gcc 4.9 just got more aggressive and is now exploiting the fact that input pointers to memcpy/memmove cannot be null (even if the size is 0).
This patch adds support to ubsan to check for this UB. Very important since it's already being exploited by gcc.

Diff Detail

Repository: rL LLVM

Event Timeline

nlopes updated this revision to Diff 25492.May 11 2015, 12:00 PM

nlopes retitled this revision from to Check for null pointers in ubsan.

nlopes updated this object.

nlopes edited the test plan for this revision. (Show Details)

nlopes set the repository for this revision to rL LLVM.

nlopes changed the edit policy from "All Users" to "Administrators".

nlopes changed the edit policy from "Administrators" to "All Users".

nlopes retitled this revision from Check for null pointers in ubsan to Check for null pointers given to memcpy with ubsan.

nlopes added a subscriber: Unknown Object (MLST).

Wait a second, won't UBSan handle this automatically if memcpy/memmove are declared with attribute((nonnull)) in the header? Otherwise, is there a change to the standard that imposes these additional constraints on memcpy/memmove?

Wait a second, won't UBSan handle this automatically if memcpy/memmove are
declared with attribute((nonnull)) in the header? Otherwise, is there
a change to the standard that imposes these additional constraints on
memcpy/memmove?

Not really. memcpy/memmove calls are handled by CGBultin and not CGCall.
It's a different code path.
Nuno

In D9673#170474, @nlopes wrote:

Wait a second, won't UBSan handle this automatically if memcpy/memmove are
declared with attribute((nonnull)) in the header? Otherwise, is there
a change to the standard that imposes these additional constraints on
memcpy/memmove?

Not really. memcpy/memmove calls are handled by CGBultin and not CGCall.
It's a different code path.
Nuno

Interesting. I think that if we decide to implement such a check, we shouldn't depend on
attributes specified in the headers, so nonnull-attribute is no longer relevant. There are another
kind of compiler builtins which worth extra checks, and which don't even require headers - e.g. behavior of __builtin_ctz(0)
is undefined. I think we should implement another check kind -fsanitize=builtin that would verify arguments of
various builtin functions.

nlopes added reviewers: samsonov, rsmith.May 24 2015, 8:55 AM

In D9673#170543, @samsonov wrote:

In D9673#170474, @nlopes wrote:

Wait a second, won't UBSan handle this automatically if memcpy/memmove are
declared with attribute((nonnull)) in the header? Otherwise, is there
a change to the standard that imposes these additional constraints on
memcpy/memmove?

Not really. memcpy/memmove calls are handled by CGBultin and not CGCall.
It's a different code path.
Nuno

Interesting. I think that if we decide to implement such a check, we shouldn't depend on
attributes specified in the headers, so nonnull-attribute is no longer relevant. There are another
kind of compiler builtins which worth extra checks, and which don't even require headers - e.g. behavior of __builtin_ctz(0)
is undefined. I think we should implement another check kind -fsanitize=builtin that would verify arguments of
various builtin functions.

Well, I think in the end they are all in the UB category, so I think they fall in the scope of -fsanitize=undefined.
Nuno

I agree that we should be respecting the __attribute__((nonnull)) on these functions whether or not we emit them as builtin calls; as such, it makes sense to me for this to be under -fsanitize=nonnull-attribute. A couple of minor copy-paste issues and then this looks fine to me, but please wait to make sure that @samsonov is persuaded.

lib/CodeGen/CGBuiltin.cpp
715	The `0` here should be a `1`.
776	Likewise.

Closed by commit rL238657: ubsan: Check for null pointers given to certain builtins, such (authored by nlopes). · Explain WhyMay 30 2015, 9:16 AM

This revision was automatically updated to reflect the committed changes.

thesamesam added a subscriber: thesamesam.Oct 9 2023, 3:15 PM

Herald added a project: Restricted Project. · View Herald TranscriptOct 9 2023, 3:15 PM

Herald added a subscriber: bollu. · View Herald Transcript

MaskRay mentioned this in rG792674400f6f: -fsanitize=alignment: check memcpy/memmove arguments (#67766).Oct 9 2023, 11:02 PM

Revision Contents

Path

Size

lib/

CodeGen/

CGBuiltin.cpp

8 lines

CGCall.cpp

25 lines

CodeGenFunction.h

5 lines

test/

CodeGen/

catch-undef-behavior.c

28 lines

Diff 25492

lib/CodeGen/CGBuiltin.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 703 Lines • ▼ Show 20 Lines	RValue CodeGenFunction::EmitBuiltinExpr(const FunctionDecl *FD,
case Builtin::BImemcpy:		case Builtin::BImemcpy:
case Builtin::BI__builtin_memcpy: {		case Builtin::BI__builtin_memcpy: {
std::pair<llvm::Value*, unsigned> Dest =		std::pair<llvm::Value*, unsigned> Dest =
EmitPointerWithAlignment(E->getArg(0));		EmitPointerWithAlignment(E->getArg(0));
std::pair<llvm::Value*, unsigned> Src =		std::pair<llvm::Value*, unsigned> Src =
EmitPointerWithAlignment(E->getArg(1));		EmitPointerWithAlignment(E->getArg(1));
Value *SizeVal = EmitScalarExpr(E->getArg(2));		Value *SizeVal = EmitScalarExpr(E->getArg(2));
unsigned Align = std::min(Dest.second, Src.second);		unsigned Align = std::min(Dest.second, Src.second);
		EmitNonNullArgCheck(RValue::get(Dest.first), E->getArg(0)->getType(),
		E->getArg(0)->getExprLoc(), FD, 0);
		EmitNonNullArgCheck(RValue::get(Src.first), E->getArg(1)->getType(),
		E->getArg(1)->getExprLoc(), FD, 0);
		rsmithUnsubmitted Not Done Reply Inline Actions The `0` here should be a `1`. rsmith: The `0` here should be a `1`.
Builder.CreateMemCpy(Dest.first, Src.first, SizeVal, Align, false);		Builder.CreateMemCpy(Dest.first, Src.first, SizeVal, Align, false);
return RValue::get(Dest.first);		return RValue::get(Dest.first);
}		}

case Builtin::BI__builtin___memcpy_chk: {		case Builtin::BI__builtin___memcpy_chk: {
// fold __builtin_memcpy_chk(x, y, cst1, cst2) to memcpy iff cst1<=cst2.		// fold __builtin_memcpy_chk(x, y, cst1, cst2) to memcpy iff cst1<=cst2.
llvm::APSInt Size, DstSize;		llvm::APSInt Size, DstSize;
if (!E->getArg(2)->EvaluateAsInt(Size, CGM.getContext()) \|\|		if (!E->getArg(2)->EvaluateAsInt(Size, CGM.getContext()) \|\|
▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Lines	RValue CodeGenFunction::EmitBuiltinExpr(const FunctionDecl *FD,
case Builtin::BImemmove:		case Builtin::BImemmove:
case Builtin::BI__builtin_memmove: {		case Builtin::BI__builtin_memmove: {
std::pair<llvm::Value*, unsigned> Dest =		std::pair<llvm::Value*, unsigned> Dest =
EmitPointerWithAlignment(E->getArg(0));		EmitPointerWithAlignment(E->getArg(0));
std::pair<llvm::Value*, unsigned> Src =		std::pair<llvm::Value*, unsigned> Src =
EmitPointerWithAlignment(E->getArg(1));		EmitPointerWithAlignment(E->getArg(1));
Value *SizeVal = EmitScalarExpr(E->getArg(2));		Value *SizeVal = EmitScalarExpr(E->getArg(2));
unsigned Align = std::min(Dest.second, Src.second);		unsigned Align = std::min(Dest.second, Src.second);
		EmitNonNullArgCheck(RValue::get(Dest.first), E->getArg(0)->getType(),
		E->getArg(0)->getExprLoc(), FD, 0);
		EmitNonNullArgCheck(RValue::get(Src.first), E->getArg(1)->getType(),
		E->getArg(1)->getExprLoc(), FD, 0);
		rsmithUnsubmitted Not Done Reply Inline Actions Likewise. rsmith: Likewise.
Builder.CreateMemMove(Dest.first, Src.first, SizeVal, Align, false);		Builder.CreateMemMove(Dest.first, Src.first, SizeVal, Align, false);
return RValue::get(Dest.first);		return RValue::get(Dest.first);
}		}
case Builtin::BImemset:		case Builtin::BImemset:
case Builtin::BI__builtin_memset: {		case Builtin::BI__builtin_memset: {
std::pair<llvm::Value*, unsigned> Dest =		std::pair<llvm::Value*, unsigned> Dest =
EmitPointerWithAlignment(E->getArg(0));		EmitPointerWithAlignment(E->getArg(0));
Value *ByteVal = Builder.CreateTrunc(EmitScalarExpr(E->getArg(1)),		Value *ByteVal = Builder.CreateTrunc(EmitScalarExpr(E->getArg(1)),
▲ Show 20 Lines • Show All 5,946 Lines • Show Last 20 Lines

lib/CodeGen/CGCall.cpp

Show First 20 Lines • Show All 2,709 Lines • ▼ Show 20 Lines	if (StackBase) {
CGF.DeactivateCleanupBlock(StackCleanup, StackBase);		CGF.DeactivateCleanupBlock(StackCleanup, StackBase);
llvm::Value *F = CGF.CGM.getIntrinsic(llvm::Intrinsic::stackrestore);		llvm::Value *F = CGF.CGM.getIntrinsic(llvm::Intrinsic::stackrestore);
// We could load StackBase from StackBaseMem, but in the non-exceptional		// We could load StackBase from StackBaseMem, but in the non-exceptional
// case we can skip it.		// case we can skip it.
CGF.Builder.CreateCall(F, StackBase);		CGF.Builder.CreateCall(F, StackBase);
}		}
}		}

static void emitNonNullArgCheck(CodeGenFunction &CGF, RValue RV,		void CodeGenFunction::EmitNonNullArgCheck(RValue RV, QualType ArgType,
QualType ArgType, SourceLocation ArgLoc,		SourceLocation ArgLoc,
const FunctionDecl *FD, unsigned ParmNum) {		const FunctionDecl *FD,
if (!CGF.SanOpts.has(SanitizerKind::NonnullAttribute) \|\| !FD)		unsigned ParmNum) {
		if (!SanOpts.has(SanitizerKind::NonnullAttribute) \|\| !FD)
return;		return;
auto PVD = ParmNum < FD->getNumParams() ? FD->getParamDecl(ParmNum) : nullptr;		auto PVD = ParmNum < FD->getNumParams() ? FD->getParamDecl(ParmNum) : nullptr;
unsigned ArgNo = PVD ? PVD->getFunctionScopeIndex() : ParmNum;		unsigned ArgNo = PVD ? PVD->getFunctionScopeIndex() : ParmNum;
auto NNAttr = getNonNullAttr(FD, PVD, ArgType, ArgNo);		auto NNAttr = getNonNullAttr(FD, PVD, ArgType, ArgNo);
if (!NNAttr)		if (!NNAttr)
return;		return;
CodeGenFunction::SanitizerScope SanScope(&CGF);		SanitizerScope SanScope(this);
assert(RV.isScalar());		assert(RV.isScalar());
llvm::Value *V = RV.getScalarVal();		llvm::Value *V = RV.getScalarVal();
llvm::Value *Cond =		llvm::Value *Cond =
CGF.Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType()));		Builder.CreateICmpNE(V, llvm::Constant::getNullValue(V->getType()));
llvm::Constant *StaticData[] = {		llvm::Constant *StaticData[] = {
CGF.EmitCheckSourceLocation(ArgLoc),		EmitCheckSourceLocation(ArgLoc),
CGF.EmitCheckSourceLocation(NNAttr->getLocation()),		EmitCheckSourceLocation(NNAttr->getLocation()),
llvm::ConstantInt::get(CGF.Int32Ty, ArgNo + 1),		llvm::ConstantInt::get(Int32Ty, ArgNo + 1),
};		};
CGF.EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute),		EmitCheck(std::make_pair(Cond, SanitizerKind::NonnullAttribute),
"nonnull_arg", StaticData, None);		"nonnull_arg", StaticData, None);
}		}

void CodeGenFunction::EmitCallArgs(CallArgList &Args,		void CodeGenFunction::EmitCallArgs(CallArgList &Args,
ArrayRef<QualType> ArgTypes,		ArrayRef<QualType> ArgTypes,
CallExpr::const_arg_iterator ArgBeg,		CallExpr::const_arg_iterator ArgBeg,
CallExpr::const_arg_iterator ArgEnd,		CallExpr::const_arg_iterator ArgEnd,
const FunctionDecl *CalleeDecl,		const FunctionDecl *CalleeDecl,
Show All 11 Lines	if (HasInAllocaArgs) {
Args.allocateArgumentMemory(*this);		Args.allocateArgumentMemory(*this);
}		}

// Evaluate each argument.		// Evaluate each argument.
size_t CallArgsStart = Args.size();		size_t CallArgsStart = Args.size();
for (int I = ArgTypes.size() - 1; I >= 0; --I) {		for (int I = ArgTypes.size() - 1; I >= 0; --I) {
CallExpr::const_arg_iterator Arg = ArgBeg + I;		CallExpr::const_arg_iterator Arg = ArgBeg + I;
EmitCallArg(Args, *Arg, ArgTypes[I]);		EmitCallArg(Args, *Arg, ArgTypes[I]);
emitNonNullArgCheck(*this, Args.back().RV, ArgTypes[I], Arg->getExprLoc(),		EmitNonNullArgCheck(Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
CalleeDecl, ParamsToSkip + I);		CalleeDecl, ParamsToSkip + I);
}		}

// Un-reverse the arguments we just evaluated so they match up with the LLVM		// Un-reverse the arguments we just evaluated so they match up with the LLVM
// IR function.		// IR function.
std::reverse(Args.begin() + CallArgsStart, Args.end());		std::reverse(Args.begin() + CallArgsStart, Args.end());
return;		return;
}		}

for (unsigned I = 0, E = ArgTypes.size(); I != E; ++I) {		for (unsigned I = 0, E = ArgTypes.size(); I != E; ++I) {
CallExpr::const_arg_iterator Arg = ArgBeg + I;		CallExpr::const_arg_iterator Arg = ArgBeg + I;
assert(Arg != ArgEnd);		assert(Arg != ArgEnd);
EmitCallArg(Args, *Arg, ArgTypes[I]);		EmitCallArg(Args, *Arg, ArgTypes[I]);
emitNonNullArgCheck(*this, Args.back().RV, ArgTypes[I], Arg->getExprLoc(),		EmitNonNullArgCheck(Args.back().RV, ArgTypes[I], Arg->getExprLoc(),
CalleeDecl, ParamsToSkip + I);		CalleeDecl, ParamsToSkip + I);
}		}
}		}

namespace {		namespace {

struct DestroyUnpassedArg : EHScopeStack::Cleanup {		struct DestroyUnpassedArg : EHScopeStack::Cleanup {
DestroyUnpassedArg(llvm::Value *Addr, QualType Ty)		DestroyUnpassedArg(llvm::Value *Addr, QualType Ty)
▲ Show 20 Lines • Show All 745 Lines • Show Last 20 Lines

lib/CodeGen/CodeGenFunction.h

Show First 20 Lines • Show All 2,837 Lines • ▼ Show 20 Lines	public:
void EmitCheck(ArrayRef<std::pair<llvm::Value *, SanitizerKind>> Checked,		void EmitCheck(ArrayRef<std::pair<llvm::Value *, SanitizerKind>> Checked,
StringRef CheckName, ArrayRef<llvm::Constant *> StaticArgs,		StringRef CheckName, ArrayRef<llvm::Constant *> StaticArgs,
ArrayRef<llvm::Value *> DynamicArgs);		ArrayRef<llvm::Value *> DynamicArgs);

/// \brief Create a basic block that will call the trap intrinsic, and emit a		/// \brief Create a basic block that will call the trap intrinsic, and emit a
/// conditional branch to it, for the -ftrapv checks.		/// conditional branch to it, for the -ftrapv checks.
void EmitTrapCheck(llvm::Value *Checked);		void EmitTrapCheck(llvm::Value *Checked);

		/// \brief Create a check for a function parameter that may potentially be
		/// declared as non-null.
		void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc,
		const FunctionDecl *FD, unsigned ParmNum);

/// EmitCallArg - Emit a single call argument.		/// EmitCallArg - Emit a single call argument.
void EmitCallArg(CallArgList &args, const Expr *E, QualType ArgType);		void EmitCallArg(CallArgList &args, const Expr *E, QualType ArgType);

/// EmitDelegateCallArg - We are performing a delegate call; that		/// EmitDelegateCallArg - We are performing a delegate call; that
/// is, the current function is delegating to another one. Produce		/// is, the current function is delegating to another one. Produce
/// a r-value suitable for passing the given parameter.		/// a r-value suitable for passing the given parameter.
void EmitDelegateCallArg(CallArgList &args, const VarDecl *param,		void EmitDelegateCallArg(CallArgList &args, const VarDecl *param,
SourceLocation loc);		SourceLocation loc);
▲ Show 20 Lines • Show All 183 Lines • Show Last 20 Lines

test/CodeGen/catch-undef-behavior.c

Show First 20 Lines • Show All 365 Lines • ▼ Show 20 Lines	void call_decl_nonnull(int *a) {

// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg

// CHECK-TRAP: call void @llvm.trap() [[NR_NUW]]		// CHECK-TRAP: call void @llvm.trap() [[NR_NUW]]
// CHECK-TRAP: unreachable		// CHECK-TRAP: unreachable
decl_nonnull(a);		decl_nonnull(a);
}		}

		extern void memcpy (void , const void *, unsigned) __attribute__((nonnull(1, 2)));

		// CHECK-COMMON-LABEL: @call_memcpy_nonnull
		void call_memcpy_nonnull(void p, void q, int sz) {
		// CHECK-COMMON: icmp ne i8* {{.*}}, null
		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
		// CHECK-TRAP: call void @llvm.trap()

		// CHECK-COMMON: icmp ne i8* {{.*}}, null
		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
		// CHECK-TRAP: call void @llvm.trap()
		memcpy(p, q, sz);
		}

		extern void memmove (void , const void *, unsigned) __attribute__((nonnull(1, 2)));

		// CHECK-COMMON-LABEL: @call_memmove_nonnull
		void call_memmove_nonnull(void p, void q, int sz) {
		// CHECK-COMMON: icmp ne i8* {{.*}}, null
		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
		// CHECK-TRAP: call void @llvm.trap()

		// CHECK-COMMON: icmp ne i8* {{.*}}, null
		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
		// CHECK-TRAP: call void @llvm.trap()
		memmove(p, q, sz);
		}

// CHECK-COMMON-LABEL: @call_nonnull_variadic		// CHECK-COMMON-LABEL: @call_nonnull_variadic
__attribute__((nonnull)) void nonnull_variadic(int a, ...);		__attribute__((nonnull)) void nonnull_variadic(int a, ...);
void call_nonnull_variadic(int a, int *b) {		void call_nonnull_variadic(int a, int *b) {
// CHECK-COMMON: [[OK:%.]] = icmp ne i32 {{.*}}, null		// CHECK-COMMON: [[OK:%.]] = icmp ne i32 {{.*}}, null
// CHECK-COMMON: br i1 [[OK]]		// CHECK-COMMON: br i1 [[OK]]

// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg		// CHECK-UBSAN: call void @__ubsan_handle_nonnull_arg
// CHECK-UBSAN-NOT: __ubsan_handle_nonnull_arg		// CHECK-UBSAN-NOT: __ubsan_handle_nonnull_arg

// CHECK-COMMON: call void (i32, ...) @nonnull_variadic		// CHECK-COMMON: call void (i32, ...) @nonnull_variadic
nonnull_variadic(a, b);		nonnull_variadic(a, b);
}		}

// CHECK-UBSAN: ![[WEIGHT_MD]] = !{!"branch_weights", i32 1048575, i32 1}		// CHECK-UBSAN: ![[WEIGHT_MD]] = !{!"branch_weights", i32 1048575, i32 1}

// CHECK-TRAP: attributes [[NR_NUW]] = { noreturn nounwind }		// CHECK-TRAP: attributes [[NR_NUW]] = { noreturn nounwind }